Save a generated login immediately if there are no saved logins for the site

Categories

(Toolkit :: Password Manager, enhancement, P2)

Attachment #9067249 -
Attachment description: Bug 1548857 - Save a generated login immediately if there are no saved logins for the site → Bug 1548857 - Save a generated login immediately if there are no saved logins for the site. r=sfoster

These are the steps I took to verify this implementation, case where no password is being saved for the site in question:

Open browser with a new profile and change prefs in about:config:
"signon.generation.enabled" is the user pref to enable/disable the feature from about:preferences (not implemented yet).
"signon.generation.available" controls whether the feature is available for users (e.g. if the about:preferences UI should show).

Restart browser (not sure if it's required, but I'm not taking any chances)

Log into Yahoo (one of the sites where the feature works).

On the door-hanger, choose "Don't save" the credentials.

Reach the page where the password can be changed (Account Info/ Account Security/ Change Password).

Double click inside the "New Password" / "Confirm Password" fields;

On the password manager's drop-down, select the generated password in both fields and change the password.

Go to Preferences/Privacy and Security/Login and Passwords/Saved Logins...
Notice that the generated password is saved inside the Saved Logins list (in the case of Yahoo, only the password is saved, not the username).
In this case, the username will need to be added manually in the Saved Logins modal.

A more edgy case, where a password is already saved:

Open browser with a new profile and change prefs in about:config:
"signon.generation.enabled" is the user pref to enable/disable the feature from about:preferences (not implemented yet).
"signon.generation.available" controls whether the feature is available for users (e.g. if the about:preferences UI should show).

Restart browser (not sure if it's required, but I'm not taking any chances)

Log into Yahoo (one of the sites where the feature works).

On the door-hanger, choose to "Save" the credentials.

Reach the page where the password can be changed (Account Info/ Account Security/ Change Password).

Double click inside the "New Password" / "Confirm Password" fields;

On the password manager's drop-down, select the generated password in both fields and change the password.
NOTICE that the Password Manager door-hanger appears and offers to save the generated password, but with no username.

Go to Preferences/Privacy and Security/Login and Passwords/Saved Logins...
Notice that the generated password is saved as a new credential, the username will need to be added manually in the Saved Logins modal.

An even more edgy case, where a generated password is already saved:

Open browser with a new profile and change prefs in about:config:
"signon.generation.enabled" is the user pref to enable/disable the feature from about:preferences (not implemented yet).
"signon.generation.available" controls whether the feature is available for users (e.g. if the about:preferences UI should show).

Restart browser (not sure if it's required, but I'm not taking any chances)

Log into Yahoo (one of the sites where the feature works).

On the door-hanger, choose to "Save" the credentials.

Reach the page where the password can be changed (Account Info/ Account Security/ Change Password).

Double click inside the "New Password" / "Confirm Password" fields;
NOTICE that the generated password is the same as it was the last time the user used a generated password.
NOTICE that the Password Manager door-hanger appears and offers to save the generated password, but with no username.
I believe that this case will be fixed when a different password will be generated every time the user attempts to change his password.

Matt, How do you think we should proceed in this case? Which case is unacceptable?
Should I also test other sites in order to validate this issue? See bug 1548381 for top 10 sites that allow for the password generator feature to work. Thanks.

I am reverifying this implementation now after some other changes were made:

These are the steps I took to verify this implementation, case where no password is being saved for the site in question:

1. Open browser;

2. Log into Yahoo/Google/Pinterest.

3. On the door-hanger, choose "Don't save" the credentials.

4. Reach the page where the password can be changed (Account Info/ Account Security/ Change Password).

5. Fill in the old password manually. (No logins saved at this time)

6. Click inside the "New Password" field;
   Observe: The Password Manager drop-down is displayed with the option to generate a password and the option to "View Saved Logins".

7. On the password manager's drop-down, select the generated password.
   Observe: "Password saved!" message is displayed, the generated password is instantly auto-saved, but without a username (can be checked in the "about:logins" page) and a dismissed pop-up is shown in the bar (a key-like icon displayed in the address bar).

8. Click inside the "Confirm Password" field;
   Observe: The Password Manager drop-down is displayed with the option to fill in the previously saved password (in step 7), the option to generate a password (the same one in the same session in the same site) and the option to "View Saved Logins".

9. On the password manager's drop-down, select the previously saved login or generated password (it's the same one).
   Observe: The Confirm Password field is correctly filled.

10. Click on the "key-like" icon from the address bar.
    Observe: For Google/Pinterest the username is filled inside the dismissed door hanger along with the generated password and the option to "Update" is available, while in the case of Yahoo, the username has to be filled in manually.

11. Click on the "Update" button to add the username to the saved generated password.
    -> Google/Pinterest: Having to update (somewhat) manually by opening the dismissed door hanger and choosing to update is a bit annoying but the functionality is fine. Usability is the issue because some people will not open the dismissed door hanger to update the username!
    In the case of Yahoo, the username has to be typed in manually, which is worse. <-

12. The password change process can be finished correctly.
This is the whole happy flow of this case when a set of credentials hasn't already been saved before the password change.

A more probable case, where a password is already saved:

1. Open browser.

2. Log into Yahoo/Pinterest/Google.

3. On the door-hanger, choose to "Save" the credentials.

4. Reach the page where the password can be changed (Account Info/ Account Security/ Change Password).

5. Fill in the old password manually or it gets auto-filled.

6. Click inside the "New Password" field;
   Observe: The Password Manager drop-down is displayed with the option to fill in the previously saved password (when logging in), the option to generate a password and the option to "View Saved Logins".

7. On the password manager's drop-down, select the generated password.
   Observe: "Password saved!" message is displayed (->IS THIS INTENDED?<-), the generated password is instantly auto-saved as a NEW ENTRY, but without a username (can be checked in the "about:logins" page) and a dismissed pop-up is shown in the bar (a key-like icon displayed in the address bar).

8. Click inside the "Confirm Password" field;
   Observe: The Password Manager drop-down is displayed with the option to fill in the previously saved password (in step 7) without a username, the "old" login that has a username, the option to generate a password (the same one in the same session in the same site) and the option to "View Saved Logins".

9. On the password manager's drop-down, select the previously saved login or generated password (it's the same one).
   Observe: The Confirm Password field is correctly filled.

10. Click on the "key-like" icon from the address bar.
    Observe: For Google/Pinterest the username is filled inside the dismissed door hanger along with the generated password and the option to "Update" is available, while in the case of Yahoo, the username has to be filled in manually, before clicking "Update".

11. Click on the "Update" button to add the username to the saved generated password.
    -> THE USERNAME HAS NOT BEEN UPDATED, NOR ADDED TO THE NEWLY CREATED CREDENTIAL!!! <-

12. The password change process can be finished correctly.
This is the whole happy flow of this case when a set of credentials has already been saved before the password change. In the end, the user has 2 logins (the old password and the right username, and the new password with no username).

In conclusion, the functionality has been implemented but it has some problems:

1. When generating a password, the password is instantly saved, but with a blank username. (bug 1569554)

2. After generating a password, the "key-like" icon from the address bar can be clicked so the dismissed pop-up can be displayed and the username can be added to the saved credential set. If the user does not click the icon, the username will not be updated.

3. For some sites, when the dismissed pop-up is opened, it can be observed that the username has not been filled in, and the user has to manually fill it in (occurs on Yahoo, not on Google or Pinterest).

4. THE USERNAME HAS NOT BEEN UPDATED, NOR ADDED TO THE NEWLY CREATED CREDENTIAL!!! after step 11.

Matt, How do you think we should proceed in this case? What's already covered and what's not?
Thanks.

Although this has been landed in Fx69, the Password Generation feature for which this enhancement applies is only targeted for Fx70 and thus disabled by default on Fx69. As the plan from the beginning was to target Fx70, I will mark only 70 as verified and Fx69 as disabled, since IMO that reflects best the current status.

On the verification part, the conclusion from comment 11 is correct and it functions as expected (at least with the Skyline MVP in mind) with the exception of point 4:

THE USERNAME HAS NOT BEEN UPDATED, NOR ADDED TO THE NEWLY CREATED CREDENTIAL!!! after step 11.

Sounds good

Flags: needinfo?(MattN+bmo)
